6 Replies Latest reply on Nov 10, 2016 8:15 AM by mredel RSS
    jacekgra Apprentice

    Remote Thing - retrieve appkey/user which was used to connect device?

    Is it possible to retrieve appKey or user which was used to connect RemoteThing (via EMS/SDK-based agent) in Thingworx?

     

    I must have information which user connected particular device (devices are being connected with appKey generated for users).

      • Re: Remote Thing - retrieve appkey/user which was used to connect device?
        aanjan Heavyweight Champ

        Jacek, there isn't a direct way at the moment to get historical data on which user/ appKey was authenticated to connect to a Remote Thing.

         

        With that being said, one thing you can try is exporting your Remote Thing, open the xml, and look under the 'ConfigurationChange' section. That has historical information on when it was created, who modified it etc.

          • Re: Remote Thing - retrieve appkey/user which was used to connect device?
            jacekgra Apprentice

            Dear Aanjan,

             

            Unfortuntally I will find only entity info there, not information about the credentials (appkey) that was used to connect the device. I am digging deeply in the platform but it seems that there is no way to achieve it besides broadcasting the appkey as a additional remote property directly from the agent.

             

            I think it would be great improvement to introduce funcionality which could determine the appkey that was used in order to connect device via WS.

              • Re: Remote Thing - retrieve appkey/user which was used to connect device?
                mredel Apprentice

                Please don't broadcast the appKey as a property as potentially you can leak it to a user who has readonly rights on the Thing. Then that malicious user can use intercepted appKey to create new Things in the system or access services user should not have access to.

                  • Re: Remote Thing - retrieve appkey/user which was used to connect device?
                    jacekgra Apprentice

                    Maciej,

                    The plan is to separate Thingworx users with Organizations, so created Thing will be only visible for the user that are assigned to the same Organizations (and all users from given organization are going to use shared appKey). So there is no way that user from other organization will even see Things that are broadcasting appkey. You think it is secure enough?

                      • Re: Remote Thing - retrieve appkey/user which was used to connect device?
                        mredel Apprentice

                        I still don't like the idea of storing appKey on property - what if user changes organisation? What if user demoes application to somebody from outside of organization and 3rd party can grab the appKey value?

                         

                        What about following - on the Agent side calculate some sort of a hash of the appKey. It must be one directional, deterministic hash (no way to de-code original appKey).

                         

                        On the Platform have a mapping between hashes and usernames.

                        You mentioned that you have 1 appKey per organization. So this mapping table will not be large and should be easy to maintain. Flow:

                        1) create new Org

                        2) generate appKey for org user

                        3) generate hash

                        4) add hash to map (hash, org_user)

                         

                        When new Thing is registered and the hash value is transmitted from the device, do a lookup and store username on 'registeredBy' property or similar.

                        Worst case scenario you expose username to 3rd party but that is not enough to perform attack.

                         

                        Hth

                        M

                    • Re: Remote Thing - retrieve appkey/user which was used to connect device?
                      aanjan Heavyweight Champ

                      As Maciej noted, this would be a big security risk. You can log into ThingWorx with just the appKey, and based on the permissions set (for that user/ appKey), it would be pretty easy to change anything.

                       

                      With exporting the Thing, you can see what user accessed it. An appKey is created with a user context, so you will have an idea what 'user' was used, but not from an appKey standpoint.